不要ASP.NET Web表单验证单选按钮的价值? [英] Do ASP.NET web forms validate the radio button value?
问题描述
我有一个包含一个单选按钮列表中的ASP.NET Web窗体。每个单选按钮具有与其相关联的值。单选按钮列表具有验证器控制,以确保至少一个按钮被选中。
I have an ASP.NET web form that contains a radio button list. Each radio button has a value associated with it. The radio button list has a validator control to ensure that at least one button is checked.
<input name="Country" value="US" id="CountryUS" type="radio" runat="server" />
<input name="Country" value="Other" id="CountryOther" type="radio" runat="server" />
据我了解,HTTP单选按钮转换成名称/值对,其中名称是单选按钮的名称和值是关联的值(它不是真/假)。
As I understand it, HTTP converts a radio button into a name/value pair where the name is the name of the radio button and the the value is the associated value (it is NOT true/false).
如果第一个单选按钮被选中,HTTP流量将
If the first radio button is checked, the HTTP traffic will be
Country=US
如果第二个被选中,HTTP流量将
and if the second one is checked, the HTTP traffic will be
Country=Other
因此,该值是免费的,明确要与(例如用帕罗)几乎一样容易被篡改作为查询字符串可以被篡改。
Consequently the value is free and clear to be tampered with (e.g. with Paros) almost as easily as the query string can be tampered with.
Country=Other'+DROP+TABLE+Users
通常一个页面上,你会叫page.Validate()来触发服务器端验证。在这种情况下,然而单选按钮验证是一个简单的选择的索引验证器。 有没有验证,明确检查值
我怎么知道客户没有与价值篡改?难道是在ViewState中复制,并且不ASP.NET自动检查呢?或者,可以将黑客把他们在那里想要的东西,并essentally注入串到我的系统(除非我手动验证它在code)?
How do I know the client hasn't tampered with the Value? Is it duplicated in ViewState, and does ASP.NET automatically check it? Or can a hacker put anything they want in there and essentally inject a string into my system (unless I manually validate it in code)?
推荐答案
使用我已经确定了以下实验少量的:
With a small amount of experimentation I have determined the following:
-
的单选按钮上面的表格/后确实过去了,很容易被篡改的价值。在我的测试程序,我的价值篡改与一些jQuery设置它,但它可以很容易地帕罗斯或中间人进行修改(假设没有加密)。
The "Value" of the radio buttons above is indeed passed in the form/post, and can easily be tampered with. In my test app I tampered with the value by setting it with some jquery, but it could just as easily be modified in Paros or with MITM (assuming no encryption).
这是在表格/后传递的值不是由rboControl.Value返回的值相同。事实上,只有这样,才能得到它与的Request.Form [字段名]。
The value that is passed in the form/post is not the same value that is returned by rboControl.Value. In fact the only way to get it is with Request.Form["field name"].
这是从rboControl.Value返回的值总是在标记本身的价值。因此,它是不容易被篡改。
The value that is returned from rboControl.Value is always the value in the markup itself. So it is not vulnerable to tampering.
这是从rboControl.Checked返回值似乎是等同于前pression(rboControl.Value ==的Request.Form [字段名])。如果该值不匹配任何控件,他们没有返回选中=真。
The value that is returned from rboControl.Checked appears to be equivalent to the expression (rboControl.Value == Request.Form["Field Name"]). If the value doesn't match any of the controls, none of them return Checked = true.
以上所有的陈述是真实与否视图状态有问题的控制已启用。
All of the above statements are true whether or not view state is enabled for the control in question.
以上所有的说法是正确的,无论是否已启用页面事件验证。
All of the above statements are true regardless of whether you have enabled page event validation.
因此,要回答我的问题,是的,单选按钮值通过白名单验证在服务器端,这验证自动发生。
So to answer my own question, YES, the radio button value is validated via white list on the server side, and this validation happens automatically.
编辑:
有没有类似性质的,但是,下拉控制一些更多的测试。同样的发现。此外,如果您启用网页事件验证,ASP将抛出一个异常,如果表单/岗位价值不匹配任何在DropDownList标记的物品的价值(或编程,添加在ViewState中坚持)。其中,以机智,使其无法在客户端上添加额外的列表项。
Did some more testing of a similar nature but on drop down controls. Same finding. In addition, if you have page event validation enabled, ASP will throw an exception if the form/post value does not match the value of any of the items in the dropdownlist markup (or added programmatically, as persisted in ViewState). Which, to wit, makes it impossible to add additional list items on the client side.
这篇关于不要ASP.NET Web表单验证单选按钮的价值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
